Intrusion detection, web proxy, and other types of security enforcement platforms detect and then perform one or more of various available actions upon the traffic as it passes, including but not limited to blocking, allowing, or logging the event for later analysis. Some systems perform analysis in addition to the logging. One exemplary type of security enforcement platform is a cloud-based distributed security system, such as available from Zscaler, Inc., the assignee of the present application. Such distributed security systems are multi-tenant and can manage thousands or even millions of user devices, seamlessly regardless of location, platform, device type, etc. Enterprise system administrators and executives have a great interest in having visibility into the behavior of their users toward the end of knowing which users constitute a particular type of risk and to what degree. Conventional approaches address the basic problem by counting negative events and comparing users on that basis. That is, conventional approaches are transaction-based for high-risk location and users, providing the top users by threat category. Thus, security, using conventional approaches, can only focus on which users have the higher transactions. In reality, users or groups with lower count negative events may actually pose a greater risk.
There is a need for more accurate techniques for determining security risks of users and groups for targeting more monitoring and protection at those users and groups, such as to address the users and groups from a security standpoint who are the highest risk, not necessarily the highest negative count of transactions.